Resisting the spread of unwanted code and data

ABSTRACT

A method of processing an electronic file to create a substitute electronic file containing only allowable content data, the method includes receiving, at a computer system, an incoming electronic file containing content data encoded and arranged in accordance with a predetermined file type, determining a purported predetermined file type of the incoming electronic file based upon the encoded and arranged content data, and an associated set of rules specifying allowable content data for the purported predetermined file type, determining nonconforming data in the content data that does not conform to the predetermined data format, determining that the nonconforming data is authorized, extracting, from the incoming electronic file, the nonconforming data, regenerating the nonconforming data to create the substitute electronic file in the purported file type, said substitute regenerated electronic file containing the nonconforming content data, if the nonconforming data is determined to be authorized, wherein the incoming electronic file is not scanned for unwanted code.

RELATED APPLICATIONS

This application claims priority to, and is a continuation applicationof U.S. patent application Ser. No. 15/223,257, filed Jul. 29, 2016,which is a continuation application of U.S. Non-Provisional applicationSer. No. 14/504,844, filed Oct. 2, 2014, now U.S. Pat. No. 9,516,045,issued Dec. 6, 2016, which is a continuation application of U.S.Non-Provisional application Ser. No. 13/438,933, filed Apr. 4, 2012, nowU.S. Pat. No. 8,869,283, issued Oct. 21, 2014, which is a continuationapplication of U.S. Non-Provisional application Ser. No. 11/915,125,filed Jun. 17, 2008, now U.S. Pat. No. 8,185,954, issued May 22, 2012,which is a US national phase application under 37 USC. 371 ofInternational Application No. PCT/GB2006/002107, filed Jun. 9, 2006,which claims priority of Great Britain Patent Application No. 0511749.4,filed Jun. 9, 2005, all of which are incorporated by reference.

This disclosure relates to computer systems and methods of operatingsuch systems for resisting the spread of unwanted code and data.

In the past decade, computer systems have increasingly come under attackby unwanted code. The most extreme examples (so far) of unwanted codeare computer viruses. A computer virus, like its biological namesake, iscapable of infecting one machine and then, from there, infecting others,by commandeering the resources of the email system to send emailscontaining the virus from one computer to many others, utilising theaddress book of each computer on which it lands. The resultant wastedbandwidth is an annoyance to users. Further, many viruses perform someunwanted action on each computer on which they land, which may includeerasing files for example.

Viruses typically arrive as executable code, in a separate attachmentfile, but they may also be hidden in parts of an email, so that they maybecome active without requiring a user to explicitly detach and executecode. Many applications, such as word processors, spreadsheets anddatabases, include powerful macro scripting languages, which allow afile that appears to be a document to include a script capable ofperforming certain operations. Virus writers have made use of suchscripting languages to write macro viruses, so that email attachmentsthat include files appearing to be documents may harbour a concealedvirus.

Viruses are not the only form of unwanted code. It is common for “free”programs to be distributed with concealed “Spyware” which may, forexample, be covertly installed on a user's computer and may subsequentlyreport websites visited or other transactions to a remote computer. SomeSpyware will cause the display of unwanted advertising. Some Spywarewill attempt to cause a modem to repeatedly dial a high rate number, onwhich the Spyware writer receives income from a telecoms operator. Othertypes of harmful code include Malware, Worms, and Trapdoors.

Whilst viruses are self-propagating from one computer to another, otherforms of unwanted code are distributed by spam email, by concealeddistribution on disc, or, increasingly, by download from aninadvertently visited website. All such types of unwanted code have incommon the fact that their existence or their real purpose is concealedfrom the owners and users of the computers at which they are targeted.Whilst some types are relatively harmless, others have the capacity towipe out valuable business data and an industry for supplying anti-virussoftware has therefore developed.

Anti-virus software as it is presently known consists of a program whichis executed on the computer to be protected. Such programs typicallyoperate in a monitor mode, in which files to be accessed are checked forviruses at each time of access to the file, and in a scanning mode inwhich all files in a particular location (such as a disc drive) arescanned. Anti-virus program providers monitor virus outbreaks and, whena new virus is detected, the anti-virus program companies analyse thevirus and extract data which can be used to detect the virus. This datais then made available to the computers which run the particularanti-virus program concerned; typically, by providing it on the websiteof the anti-virus program company for downloading.

Viruses are detected in various different ways. A string ofcharacteristic code forming part of the virus may be stored and incomingfiles scanned for the presence of that string, which therefore acts as a“signature” or “fingerprint” for the virus. Alternatively, viruses maybe detected by their intended behaviour; source code or script files maybe parsed to detect predetermined operations which are characteristic ofa virus.

Unfortunately, viruses, like their biological counterparts, can easilybe “mutated”; minor changes in code, equivalent to the substitution ofuppercase and lowercase letters, can change the signature of the virus.The files of data for detecting viruses, by whatever method, aretherefore becoming extremely large, and the time taken by antivirusprograms is correspondingly increasing as the number of signatures orrules to be checked is growing. Whilst this may be acceptable in virusscanning mode, it is adding an ever-increasing latency to the time takento access files in monitoring mode. Further, as downloads become largerand are required more frequently, the risk that a user will fail todownload necessary updates, and will therefore be unprotected againstthe most recent (and therefore the most dangerous) virus, is high.

The present embodiments therefore takes an entirely different approachto protection against unwanted code. According to one aspect of thepresent embodiments, there is provided a method of receiving anelectronic file containing content data in a predetermined data format,the method comprising the steps of: receiving the electronic file,determining the data format, parsing the content data, to determinewhether it conforms to the predetermined data format, and if the contentdata does conform to the predetermined data format, regenerating theparsed data to create a regenerated electronic file in the data format.

Corresponding computer systems, programs, and media carrying suchprograms are also provided.

An embodiment operates to analyse each received file and thenreconstitute from it a substitute file. Because the original file is notitself directly stored, or accessed, on the computer to be protected, itis not, itself, capable of harming that computer. It may, for example,be stored in a bit-reversed form or other form in which it cannot beexecuted. On the other hand, the substitute file will be generated usinga generator routine which can generate only “clean” code and data. It istherefore incapable of generating unwanted code matching any code in areceived file.

Part of the present embodiments can be based on a new application ofsome long-known truths about computer files. The vast majority of filesthat are imported onto a computer nowadays are in standardised fileformats. Proprietary programs create their own file formats (and dataintended to be used by those programs must conform to those formats) butthere is sufficient demand for exchange of data between differentproprietary programs that, firstly, one proprietary program is oftensupplied with import filters to read data written by another, and,secondly, several formats exist which are not associated with anyproprietary program. Examples of such generic formats are ASCII text,rich text format (RTF), hypertext markup language (HTML) and extendiblemarkup language (XML).

Data in files must therefore conform precisely to rigid standards if itis to be read by any application program, and the formats used bydifferent files are widely known. The present inventors have realisedthat, although the formats used by files permit wide variation, the vastmajority of files contain data meeting some relatively narrow pragmaticconstraints. For example, most operating systems and applications willaccept file titles of great length, but most users, most of the time,use short and easily recognisable file names.

Accordingly, the analysis performed by an embodiment can comprisedetecting whether data which otherwise conforms to the specification forthe purported file type violates pragmatic limits. These ‘real world’constraints enable the present embodiments to detect ‘normal’ acceptablefiles. Any file content which does not correspond to pragmatic limits ofthis type is not passed to the generator program and therefore does notreach the user's computer in an executable form.

It will therefore be seen that an embodiment operates in a fundamentallydifferent manner to known anti-virus programs. Known anti-virus programsaim to detect viruses, and pass everything which is not detected to be avirus. They therefore always fail to protect the user from the greatestdanger; namely, that of unknown viruses. Each new virus that is launchedmust already have infected a number of computers before it comes to theattention of the anti-virus companies.

Further, even where anti-virus software is installed, and possesses anup-to-date set of detected data, viruses will usually be stored on thehard drive or other media of the protected computer before they can bedetected by the anti-virus software. If, for some reason, the anti-virussoftware fails to run, the virus is in place and can be activated.

US Patent Publication US 2003/0145213 discloses a system wherein a macroor malicious code is detected in a file. The file is then reconstructedin a template and the malicious code is removed from the template toprovide a clean version of the file.

By way of complete contrast, the present embodiments need not aim todetect viruses, or even to reject typically virus-like behaviour.Instead, it can reject all incoming files altogether, and substitute intheir place, where possible, generated files which cannot containunwanted code and data. Unwanted code and data can therefore beprevented from ever reaching the hard drive of the computer to beprotected in executable form, and cannot be propagated from one computerto another.

At this point, it may be mentioned that US Patent Publication2003/229810 discloses a proposal for an “optical firewall” forprotection against viruses. For reasons that will shortly becomeevident, it is not thought that this system has been put into effect (orthat it could be put into effect). It describes a system in which afirewall computer receives a file such as an image file, and displaysthe image on the display of the firewall computer. An optical sensorarray scans the image and the scanned image is then supplied to theintended recipient. Any viruses that were hidden in the image are notdisplayed, and consequently, are not passed on in the scanned image. Ina variant, a bitmap of the screen may be used instead of an actualscreen display.

For various reasons, the “optical coupler” firewall provided in theabove mentioned US patent application could not provide an effective andreliable protection against viruses.

For example, reproduction using optical character recognition (OCR)software can provide inaccurate information. Further, reproduction ofimages using the video technique can provide lower quality images thanintended. Also, the computer receiving the incoming file will becomeinfected if the incoming file contains a virus.

On the other hand, by analysing and then re-generating files instead ofexecuting them, displaying them, and optically scanning them, anembodiment is capable of providing substitute files which in the vastmajority of cases closely emulate the original file (if it is free ofunwanted code) so as to make the substitution transparent.

File formats vary in their complexity. At one extreme, text files have asimple format. Files which can contain scripts or macros (such as wordprocessing or spreadsheet files) are of intermediate complexity, whereasfiles containing code can only be fully analysed by a code parser.Whilst such code analysis is, in the long run, possible, the presentembodiments may conveniently operate to remove all macros and scriptsfrom document files, and not to pass any files consisting solely ofprograms, code, macros or scripts.

It will immediately be apparent that there will be frequent occasionswhen users may wish to receive such files. Accordingly, one embodimentmay operate alongside a filter that is arranged to filter files bysource, so as always to pass files (or files of a certain type) fromcertain sources, and to reject such files from others.

Thus, whereas an embodiment can block users from receiving code in filesfrom all sources, the parallel filter permits such files from knownsources only. Users can therefore receive files from systemadministrators or certified websites, for example, which would berejected by the embodiments. By identifying only those sources from whoma user wishes to receive code, the present embodiments can blockunwanted code.

Because the present embodiments can operate by detecting conformity withfile standards, and typical user behaviour, rather than by detectingviruses, frequent updates are unnecessary; such updates are requiredonly at the point where major changes to a standard gain widespreadacceptance, or where user behaviour has substantially changed, both ofwhich are slow processes as compared to the frantic speed with whichanti-virus updates must be distributed. Likewise, since the number oftests to be performed remains more or less stable over time, there is noincrease over time in the latency for starting programs.

These and other aspects, embodiments and advantages of the will bediscussed in the following description and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments will now be described, by way of example only, withreference to the accompany drawings in which:

FIG. 1A shows a block diagram of an electronic file system according toan embodiment;

FIG. 1B shows a computer system adapted for use in embodiments;

FIG. 1C shows a flow diagram of a process according to an embodiment;

FIG. 2 shows a block diagram of an e-mail system according to anotherembodiment;

FIG. 3 shows a flow diagram of a process according to anotherembodiment;

FIG. 4 shows an example layout of the different parts forming an e-mail;

FIG. 5 shows a flow diagram of a process according to anotherembodiment.

DETAILED DESCRIPTION

A basic system layout showing an embodiment is indicated in FIG. 1A. Anelectronic file 101 is created at a source and is transmitted through atransmission medium 103. The transmission medium 103 may be any suitablemedium for transmitting electronic files, including hardwired systemsand wireless systems. The electronic file 101 passes through thetransmission medium 103 in the normal manner until it reaches itsdestination. In this embodiment, an AV (anti-virus) application 105 isinstalled in a destination system. The AV application 105 operates suchthat the data within the incoming electronic file is not allowed toenter the destination operating system 107 until it has been analysedagainst a predefined allowable format, and, if the data is determined tobe allowable, regenerated. Therefore, the AV application 105 determineswhether the electronic file 101 is to be allowed to pass through to theoperating system 107.

FIG. 1B shows a computer system adapted to implement the embodiments.The computer 109 receives the incoming electronic file 101 at an inputinterface 111. The input interface 111 is connected to a microprocessor113, which is arranged to carry out various processes on the receivedfile. The microprocessor 113 includes a parser 115. The microprocessor113 is further connected to a memory device 117, a disk drive 119 and anumber of interfaces (121, 123) to enable connections to be made tooutput devices such as a display 125 and a keyboard 127.

So that incoming executable files are not allowed to automatically runas they enter the AV application, the system arranges for the datamaking up the incoming electronic files to be stored in memory in anysuitable scrambled format.

In this embodiment, the scrambling method reverses the order of the bitsin a byte. That is, bits 0 to 7 are received in order, but are stored ina bit reversed manner such that bit 0 is switched with bit 7, bit 1 isswitched with bit 6, bit 2 is switched with bit 5 and bit 3 is switchedwith bit 4. Therefore, as an example, a byte comprising 1 0 1 1 0 0 0 0would be stored in the following order: 0 0 0 0 1 1 0 1. In this manner,any executable code is not able to automatically run and so any infectedelectronic files are not able to infect the AV application or thedestination operating system.

As an alternative to the AV application being located at the file'sintended destination, the AV application may also be located at thesource, somewhere in the transmission medium, or elsewhere as long as itis capable of analysing the electronic file at a point along itstransmission path.

FIG. 1C shows a flow chart of the basic steps carried out by the AVapplication 105 in this embodiment in order to determine whether theelectronic file 101 is allowed to pass through to the destinationoperating system 107. At step S109, the electronic file 101 is inputinto the AV application 105 using any suitable means. The input meansmay vary depending on the type of electronic file being received and themedium over which it is being transmitted. In this embodiment, theelectronic file 101 is accepted into the AV application.

At step S111, analysis is carried out by a conformity analysing deviceto determine if the electronic file 101 conforms to a predeterminedformat. The AV application is designed only to allow through electronicfiles that conform to one of a plurality of stored known, allowable,pre-defined formats. Generally, a file consists of content data encodedand arranged in accordance with a file type specification comprising aparticular set of rules, each type of file (text, HTML, XML, spreadsheetand so on) having an associated set of rules. Common file types aresometimes indicated by the suffix of the file name (e.g. .pdf, .txt,.doc), and also or alternatively by the first few bytes of data in thefile. Many file types include a header indicating something about thestructure of the file, followed by the content data (e.g. text, numbers,audio or image data).

The content data may include parameters (for example, tags to indicatethat the content data is to be presented in bold). The rules making upthe file type specification may specify the values or range of that suchparameters can take on. They may also specify, for example, theallowable values or range of values that the content data can take on.

An application program capable of opening a file of a particular typeincludes a parser for applying the rules making up the file typespecification to a file, to extract the content data for presentation orprocessing. For example, a word processing application may be capable ofopening files in its proprietary file format (e.g. Microsoft Word™), theproprietary file formats of other word processing applications, andgeneric file formats such as Rich Text Format (RTF), ASCII and HTML. Anapplication program capable of storing content data as a file of aparticular type includes a generator for applying to content data therules making up the file type specification to generate a file in therequired format.

In the present embodiment, for each file type, a predetermined format isstored. The predetermined format generally includes the rules making upthe file specification. However, the predetermined formats only includethe rules relating to frequently used parts of the format. Additionally,the predetermined formats include additional rules constraining thevalues and/or ranges that content and parameters can take on, so as onlyto include commonly and frequently used values and ranges. Thus, onlythose parts of a file of a given type which consist exclusively offrequently or commonly occurring data and parameters can be analysedaccording to the corresponding stored predetermined format of thisembodiment.

Examples of components of data types that are not allowed to passthrough the system (because the predetermined formats do not include therules relating thereto since they are infrequently used) are complexmacros in word-processed files, and I-frames in HTML pages. Examples ofinfrequently used data values that are not allowed to pass through thesystem (because the predetermined formats are limited to values thatexclude them) are control characters in an ASCII file other than thecommonly-used TAB, CR/LF and LF characters.

The conformity analysing device determines if the electronic file is inthe format it says it is, and that all parameters conform to thepre-determined format associated with that particular electronic filetype. If the electronic file does not conform to any pre-determinedformat it is not regenerated, and so is effectively blocked, andpreferably erased at step S113. However, if the electronic file doesconform to the pre-determined format, the content data is extracted fromit (and temporarily stored in a data structure), and is re-generated(from the temporary data structure) by the conformity analysing devicein the pre-determined format associated with that electronic file type,to make up a substitute file, as shown at step S115.

The re-generated electronic file is then forwarded, for example, to theoperating system at step S117 in order for it to be processed in anormal manner. All content data that can be extracted from the fileusing the rules making up the pre-determined format is extracted andregenerated, and any parts that cannot be extracted cannot therefore beregenerated.

In this manner, due to the conformity check and re-generation of thefile, viruses are unable to enter and infect the operating system; infact, nothing but content data in a commonly occurring format isextracted and consequently regenerated.

In situations where an electronic message can be broken down intosub-parts, some sub-parts of the electronic message may conform to apre-determined format, whereas other sub-parts may not conform. Insituations like this, the AV application determines if the total numberof sub-parts that do conform meets a substantiality test (e.g. if themajority, or the most important parts, conform), and if so, regeneratesthe sub parts of the electronic message that do conform.

The non-conforming subparts of the message are not re-generated.Instead, the AV application inserts relevant warning text in theelectronic message informing the recipient that part of the message wasnot allowed through. As an option, this warning text may indicate thereasons for not allowing the sub-part through.

Further, a part within a sub-part of the electronic file may also beblocked, i.e. not regenerated and preferably erased, if it does notconform to the allowable pre-determined format for that part. That is,for example, if a string of characters in an ASCII electronic fileincludes a control character (e.g. the ‘BEL’ character), this string ofcharacters may be replaced with a text warning inserted by the AVapplication informing the intended recipient that the string has beenleft out of this part of the re-generated electronic file because thepart does not conform to the pre-determined format. The conformityanalysing device does not specifically look for the control charactersthat are not allowed (e.g. the ‘BEL’ character), but instead passes onlythose control characters which are allowed, as defined by thepre-determined allowable format.

Alternatively, the non-conforming control character could be replaced bya space or completely removed. The different options chosen depend upon,for example, the environment in which the AV application is running andhow important it is for at least the minimum of conforming informationto be allowed to pass through the AV application to its destination.

A further alternative to this embodiment will now be described. Upon thedetermination by the AV application that an electronic file, or sub-partthereof, does not conform and so is not permitted to pass through to thedestination operating system, the original electronic file is passed toa threat filter application that determines whether there is any threatassociated with the electronic file, or sub-part thereof.

The determination is made based on what the system expects to receivefrom certain sources. The system makes this determination by reviewing alist of data types against a predetermined list of sources stored inmemory, to see if the data type is accepted from that source; in otherwords, emails are filtered by source. Therefore, if files that containdata that is non-conformant are received from the same source, where thenon-conformant data is known not to be a threat, the originalnon-conforming data is allowed through to the operating system. In thismanner, the system comprising the AV application and the threat filterapplication dynamically allows the majority of safe electronic filesthrough to their intended destination.

In the following described other embodiment, the electronic files aree-mails transmitted over the Internet, from an originator to an Internetservice Provider (ISP). The ISP forwards the e-mails to an e-mail clientserver, whereupon receipt, the e-mail client server forwards the e-mailto the intended recipient's Inbox.

FIG. 2 shows a layout of an e-mail system according to this embodimentin which the AV application of the present embodiments is incorporated.An e-mail is forwarded by a sender from a source location 201. Thee-mail is forwarded via the Internet 203 to an Internet Service Provider(ISP) 205, determined by the domain name incorporated within the e-mail.A recipient's e-mail client server 207 is connected to the ISP 205through direct open connections. The first connection is a Simple MailTransfer Protocol (SMTP) outgoing connection 209 for forwarding outgoinge-mail from the e-mail client server 207 to the ISP 205. A secondconnection is a POP (Post Office Protocol) incoming connection 211,which retrieves e-mail from the ISP 205.

The AV application 105 is situated at the ISP 205. The AV application105 resides on the input/output ports connected to the recipient'se-mail client server 207, in order to analyse all outgoing and incominge-mails being sent and received by the e-mail client server 207.

In this embodiment, the AV application 105 is a piece of computer code,which is implemented using known computer programming techniques. Alle-mails that are sent to the e-mail client server 207 must pass throughthe AV application 105 before the e-mails are able to enter the e-mailclient server 207. Likewise, all e-mails forwarded by the e-mail clientserver to the ISP 205 must pass through the AV application 105 prior toentering the ISP 205.

The AV application 105 analyses the incoming e-mail message by parsingthe data as it enters the application. As in the previous embodiment,the data is stored in a scrambled mode in order to stop any executablefiles from running. The AV application 105 determines if the separateparts of the incoming e-mail conform to a pre-determined allowableformat, and, if the part does conform, it re-generates each part of thee-mail message. Therefore, any virus within any e-mail is not allowedthrough to infect the recipient's system, nor pass from the recipient'ssystem to the ISP.

A conformity analysing device is used in this embodiment to analysespecific data types to see if it conforms to a pre-defined format forthat data type (as discussed in the previous embodiment) and extractthat content data which does conform. The conformity analysing devicethen regenerates the data using the pre-defined allowable format forthat data type. Each type of data is analysed and re-generated by itsown specific conformity analysing device.

Each conformity analysing device runs a specific set of rules on thedata depending on the type of data received. The rules are defined bythe official pre-defined specification for the file type, and real worldcommonly occurring (and hence safe) examples of known data types.Generally the rules allow only a subset of files which conform to thefile type specification, but they may relax certain rules of theofficial specification where these are commonly breached. For example,email addresses should contain no spaces, but some popular emailapplications breach this rule, so that emails which violate thespecification in this regards are common, and thus the predeterminedformat for analysing emails according to this embodiment accepts e-mailaddresses which contain a space, and thus the embodiment analyses andextracts such email addresses.

Also, the conformity analysing device may check a certain parameterwithin a data file. For example, if the header states that the file isan RTF (Rich Text Format) file, then the first few bytes of data areread to determine if this is correct.

FIG. 3 shows a flow diagram of how a system works that incorporates anAV application according to this embodiment. As can be seen in FIG. 3,at step S301, the e-mail is received at the ISP over the SMTP incomingconnection.

At step S303, a protocol conformity analysing device carries out aprocess to read the incoming e-mail's basic format, and regenerate thee-mail so that it conforms to the basic e-mail protocols. An e-mailreader that is non-conformant reads the e-mail. The read data is thenpassed to an e-mail writer that does conform to basic e-mail protocols.In this manner, common non-conformities are converted in to a conforminge-mail. For example, if a recipient's e-mail address is badly formed,the e-mail writer re-writes it so that it does conform.

A further example is when an e-mail message is received without a‘From:’ header. In this case, the e-mail message is encapsulated in awhole new e-mail message including a ‘From:’ header.

Other parameters within the e-mail are also made to conform. Forexample, line length, correct ASCII character codes being used, correctBase 64 coding being used where appropriate, intact header information(‘To:’, ‘Subject:’ etc.), a space between the header and the body of thee-mail, and so on.

If the e-mail is so badly formed that part of it cannot be rewritten,then it is determined whether a reasonable e-mail still exists if thenon-conforming part were missing. If it is determined that the processwill still result in a reasonable e-mail, the e-mail is rewritten withthe non-conforming part missing. A warning text may be inserted in itsplace.

Also, the protocol conformity analysing device may reject the wholee-mail. For example, if the protocol conformity analysing device detectsthat non-conforming base 64 encoding is being used on a large piece ofdata within the e-mail, the e-mail is completely rejected at step S305.

If the protocol conformity analysing device determines that the e-maildoes conform to e-mail protocols, it is regenerated by the protocolconformity analysing device and passed on to the next step in theprocess.

All e-mails should conform to the current RFC standard for e-mail (i.e.RFC 822 and its successors). This standard defines how the e-mail isformed. After the e-mail passes through the protocol conformityanalysing device, the RFC 822 conformity analysing device checks to seeif the e-mail conforms to the RFC 822 standard. The RFC 822 conformityanalysing device carries out this conformity check by first breaking thee-mail up into its separate component parts by finding the boundarieswithin the e-mail (as discussed below), and then parsing each componentpart of the e-mail to see if it conforms to RFC 822.

It will be understood that updates would be required when the RFCstandard is updated to ensure that the RFC 822 conformity analysingdevice is able to check the conformity of all known data types.

As is well known, an e-mail is made up of a number of separate parts, asshown, for example, in FIG. 4. The e-mail starts with an RFC 822 header401, which defines a number of fields, such as ‘From:’, ‘To:’ and‘Subject:’ etc. Next is the MIME header 403, which defines a number offields for use in the extension protocol, such as ‘Content-Type:’ thatdefines the text used to indicate the boundary between the differentparts of the e-mail.

After the headers (401 & 403), the first boundary 405 is indicated. Thenext part of the e-mail starts with a further MIME header 407, whichdefines the format used in this part. In this example this partcomprises text matter to be displayed in a text format. The block oftext 409 therefore follows. At the end of the text block 409 is afurther boundary 411.

A further MIME header 413 indicates what format the next part of thee-mail will be in. In this example, the next part of the e-mail is amixed text and HTML formatted block 415. A further boundary 417indicates the end of that part to the e-mail.

For the last part of the e-mail, the final MIME header 419 indicates thedata type for an attachment to the e-mail, which in this case is a zipfile. The ZIP file 421 is base 64 encoded and added to the e-mail. Afinal boundary 423 then indicates the end of the e-mail.

At step S307 in FIG. 3, the RFC 822 conformity analysing device parsesthe ASCII characters forming the e-mail using a parser. The RFC 822conformity analysing device is then able to detect the boundaries in thee-mail and check to see if certain parameters conform to a knownacceptable pre-determined format. For example, the RFC 822 conformityanalysing device checks the line length to see if it conforms to the RFC822 standard and so only line lengths of 2000 or less are regenerated.

Further checks can be made to see if the parsed data within the e-mailconforms to the RFC 822 standard. For example, it is checked whether thecharacters within the e-mail are known acceptable ASCII characters asdefined in the standard, whether the information in the header is asdefined in the standard and whether the header length conforms to thestandard definition. These checks listed are merely examples of a largegroup of different checks the RFC 822 conformity analysing devicecarries out (the rest of which will be apparent to one skilled in theart), and as such, these embodiments are not limited to those listedabove.

As well as analysing the parsed data to see if it conforms to the basicRFC 822 standard, the RFC 822 conformity analysing device also checks tosee if certain parameters conform to real world examples of RFC 822standard e-mails. That is, the specification of certain parameters maybe left open for users to define, whereas, in the real world, onlyreasonable values would be used. For example, an e-mail would usuallyonly comprise a minimal number of parts. So, if an e-mail is receivedthat includes 1000 boundaries, this would not be a real world example ofRFC 822 standard e-mails, and so would be blocked, i.e. not regeneratedand preferably erased, by the RFC 822 conformity analysing device.

For each component part of the e-mail comprising data that needs furtherconformity checking, the component part is forwarded at step S309, inthis embodiment, in parallel to a separate conformity analysing devicedepending on the type of data the part corresponds to. That is, if thee-mail part being analysed is defined as text, the ASCII charactersmaking up the text are forwarded to a text conformity analysing device.If the e-mail part being analysed is defined as a TIFF file, thecharacters making up the TIFF file are forwarded to a TIFF conformityanalysing device.

At step S309, each of the conformity analysing devices analyses the dataforwarded to it to see if it conforms to its purported format. If thedata does conform it is regenerated by the conformity analysing device.If any non-conformity is within the data, the data is either left out,or, if possible, regenerated by the conformity analysing device so itdoes conform. One example of regenerating the data so it does conform isthat of adding nested brackets in an RTF file wherever they are missing.

If an e-mail comprises a nesting of different types of data, conformityanalysing devices are recursively called, so that several specificdevices are run in sequence and each being put on hold at each pointthat a further type of data is discovered. In this manner, an e-mailwith a zip file, that includes a word processing document, whichincludes a JPEG picture file could run through the sequence of differentconformity analysing devices (zip, word processing, JPEG) in order todrop down through the nesting of files and analyse each file insequence. At the end of the analysis, the file is reassembled using theconforming regenerated parts.

Upon a determination at step S311 that enough parts of the e-mail havebeen regenerated to form a suitably coherent, understandable andworthwhile e-mail, the data is reassembled using the RFC 822 conformityanalysing device using the regenerated parts, as shown at step S313.This ensures that the regenerated e-mail is forwarded in the correctformat.

The AV application then forwards the re-generated e-mail to the intendedrecipient using the SMTP protocol, as indicated in step S315.

However, if the AV application determines at step S311 that enough partsof the e-mail have not been regenerated to form a useful e-mail, thee-mail is rejected at step S317. During step S317, warning text isforwarded to the intended recipient of the e-mail informing them that ane-mail intended for them was rejected by the system. The warning textmay include details of why the message was deleted and furtherinformation intended to help the recipient identify either the sender,or the reason why the e-mail was rejected.

Described in detail below are some example conformity analysing devicesfor use in this embodiment, which could be used during step S309. Asshown at step S309, the component part of an e-mail that purports to betext, based upon the information in either the RFC 822 header, MIMEheader or the file extension, is passed to a text conformity analysingdevice. The text conformity analysing device parses the text data todetermine if it conforms to its pre-determined allowable format asdescribed below.

As there are a number of different types of text file, such as, forexample, Comma Separated Variable (CSV) and Rich Text Format (RTF), thetext conformity analysing device must first differentiate what type oftext file the parsed data is purporting to be. All files attached toe-mail will have a file extension associated with it that indicates whatthe file type should be. The text conformity analysing device analysesthe parsed file extension within the MIME header to determine if thetext file is a pure ASCII file. If so, it is only necessary to use anASCII conformity analysing device, as described below.

However, if the text conformity analysing device, upon analysis,determines that the text file is a file type other than pure ASCII, forexample a CSV file, then a CSV conformity analysing device will also becalled up to analyse and regenerate the CSV data. Firstly however theASCII conformity analysing device analyses the ASCII characters makingup the text file within the e-mail to see if the text string conforms tothe ASCII pre-determined format, and, if there is conformity,regenerates the ASCII file.

The ASCII conformity analysing device parses the data to ensure the fileconforms to the minimum ASCII pre-defined format. For example, the ASCIIconformity analysing device only allows the ASCII characters 32 to 127,and four control characters, ‘line feed’ (LF=10), ‘carriage return’(CR=13), ‘tab’ (TAB=9) and ‘vertical TAB’ (VT=11) to be regenerated andpassed through the system.

Other control characters, such as the bell character (BEL=7), are not inthe pre-determined allowable format for an ASCII file, as defined by theAV application. So, the ASCII conformity analysing device does notregenerate the ‘BEL’ character in the block of ASCII codes being parsed,but will reject that ASCII character.

Other examples of analysis the ASCII conformity analysing device carriesout are:

Is the natural line length less than 1024 characters?

Are word lengths less than 25 characters?

Is the percentage of spaces to characters under a pre-defined limit?

If at any time the ASCII conformity analysing device is not able toregenerate the data for that part of the ASCII code because it does notconform to the basic pre-determined format, the ASCII conformityanalysing device checks the data to see if it conforms to some othertype of ASCII code. For example, source code, BinHex, Base 64. If thedata does conform to another type of ASCII code, the data is forwardedto the relevant conformity analysing device for that ASCII type, whichwould be, for the examples shown above, a source code conformityanalysing device, a BinHex conformity analysing device or a Base 64conformity analysing device. It will be understood that a Base 64 ASCIIcode file may also include other types of files within the encoded data.These other types of files would then also be forwarded to the relevantfile type conformity analysing device, and so on.

The conformity analysing devices for the further types of ASCII codewould have further conformity limitations for the data within this partof the e-mail. For example, the file could be checked to see if it isproperly structured code, has correct line lengths, and so on. Once eachconformity analysing device has determined that the content andparameter data conforms, and accordingly extracted it, the extractedcontent data is regenerated in the allowable pre-defined format usingthe conformity analysing device.

Once the ASCII conformity analysing device has finished its task, theregenerated ASCII data is forwarded to the relevant text conformityanalysing device that the data purports to be. In this embodiment, thetext file is a CSV file, and so the data is forwarded to the CSVconformity analysing device.

Examples of checks carried out by the CSV conformity analysing deviceare as follows. The CSV conformity analysing device parses the ASCIIdata to ensure there are no long text paragraphs, as paragraphs are notpart of the pre-defined format for CSV files. Any data that cannot beparsed because it does not conform is rejected by the CSV conformityanalysing device. The CSV conformity analysing device also checks, forexample, to see if the number of de-limiters conforms to the normalpre-determined number of de-limiters in a CSV file. When the CSVconformity analysing device determines that the data does conform, thedata is regenerated into the same format.

In this manner, only parts of a text file that do conform to apre-determined format are allowed to pass to the next stage of the AVapplication. Only the conforming parts of the text file are regeneratedwith the other regenerated data type portions before being reassembledand forwarded to the destination. Therefore, any parts of the e-mailthat contain a virus would not conform and so would be blocked, i.e. notregenerated and preferably erased. Any non-conforming parts are notallowed to pass through the AV application and infect the operatingsystem.

A further example conformity analysing device is a TIFF (Tagged ImageFile Format) conformity analysing device, used to analyse and regenerateTIFF files.

A TIFF file has a structured format with a set of directories and tagsarranged in a pre-defined format. It is not possible to determinewhether the image data itself represents a meaningful image. However,the TIFF conformity analysing device parses and analyses the image datato ensure that it falls within pre-defined limits.

The header information in the TIFF file is parsed and analysed to see ifthe correct information is complete and intact. For example, the TIFFconformity analysing device checks to see if the header informationincludes resolution, size and depth fields that are within reasonablelimits for a TIFF image. Further, the TIFF conformity analysing devicedetermines if the number of strips indicated in the header matches theimage data.

TIFF files are typically compressed, usually using LZW(Lempel-Ziv-Welch) compression techniques. Each TIFF strip isdecompressed by the conformity analysing device to see if the striplength is within reasonable pre-defined limits. For example, if thestrip length is not equal to or less than a maximum image size limit(for example, greater than a standard AO paper size), the strip isrejected. As soon as the TIFF conformity analysing device rejects onestrip, the whole TIFF file is rejected.

The TIFF conformity analysing device also carries out analysis on thetags (i.e. parameter data) within the TIFF file. The tags are checkedagainst a pre-defined allowable format to see if, for example, the tagsare in the specified order (according to the directory of taginformation in the header) and the tags are inter-related in the correctmanner.

When the TIFF conformity analysing device determines that the dataconforms to the pre-defined allowable format, the data is regenerated tocreate a regenerated TIFF file having the original file name (where thefile name conforms to the predetermined format). The regenerated TIFFfile is forwarded to the e-mail server to be re-assembled into ane-mail.

It is also possible to have other image types within the TIFF fileitself. For example, JPEG images may be encapsulated within the TIFFfile. If a different image type is detected by the TIFF conformityanalysing device it forwards the data associated with that image to afurther conformity analysing device, in this example, a JPEG conformityanalysing device. The JPEG conformity analysing device then parses andanalyses the data to see if it conforms to an expected JPEG format, andif so, regenerates the data in the JPEG format. The regenerated data isthen re-assembled into the regenerated TIFF file, which is then used tore-assemble a regenerated e-mail. This e-mail is then passed on to thee-mail server.

A further option available in this embodiment is for the AV applicationto insert warning text in place of non-conforming parts of the e-mail.That is, if a conformity analysing device parses the data for thenon-conforming part and determines that a portion of the part does notconform to the pre-determined allowable format, upon regeneration of thee-mail, the conformity analysing device inserts warning text in place ofthe non-conforming part informing the intended recipient of the e-mailthat a portion of the e-mail was rejected by the AV application.Alternatively, if a conformity analysing device rejects a whole part ofan e-mail due to non-conformity, the AV application inserts warning textwithin the e-mail informing the intended recipient that a part of thee-mail was blocked, i.e. not regenerated and preferably erased, by theAV application.

Referring to FIG. 5, another embodiment will now be described. Thisembodiment incorporates all the features of the previous embodiment,including any of the options discussed in relation to the previouslydiscussed embodiments.

FIG. 5 shows a flow diagram of a process according to this embodiment.

This embodiment relates to the situation whereupon the AV applicationhas blocked a portion, part or the whole of an e-mail (referred to as‘non-conforming part’ in this embodiment). At step S501, the AVapplication makes the determination as to whether the part isnon-conforming and so is to be blocked. If blocked by the AVapplication, the non-conforming part is forwarded to a threat-filterapplication to ascertain whether the non-conforming part is a threat, asshown at step S503.

The threat-filter application determines if the non-conforming part isconsidered a real threat based upon the system's user preferences. Thesystem has stored within its memory a list of file types and sourcesassociated with these file types that are not considered a threat.Therefore, the system can determine, based on the sender of the file andthe file type, whether the file is to be allowed through.

If the determination at step S503 determines that the file type is notone of those listed as being allowable from the associated source, it isblocked at step S505.

If the file type is considered to be allowable, the non-conforming partbypasses the AV application at step S507. The AV application regeneratesthe rest of the received file at step S509, and reassembles theregenerated conforming parts and the bypassed non-conforming parts ofthe file at step S511.

For example, if a banking system receives from a known sender a largenumber of e-mails including spreadsheets that incorporate complicatedmacros, these may be outside the pre-determined allowable format for amacro within a spreadsheet attachment, and so the macro conformityanalysing device would block this part of the e-mail.

However, as the banking system is able to determine who is sending thee-mails, and the sender is entered as a trusted partner of the bankingsystem within a database for these file types, the spreadsheet withinthe e-mail is not considered to be a threat. Therefore, the system usercan set up the threat-filter application to allow these non-conformingmacro parts to bypass the AV application and be re-assembled into thee-mail with the regenerated parts of the e-mail.

Alternatively, the threat-filter application can be operated in a modewhereby it determines if a regenerated file received from the AVapplication should be allowed to continue through to the destinationsystem. If the AV application receives a file that includesnon-conforming parts that in themselves are not sufficientlynon-conforming for the AV application to reject the whole file outright,but result in a regenerated conforming file that is substantiallydifferent from the original file, the regenerated file is forwarded tothe threat-filter application. For example, the original file size maybe considerably larger than a regenerated conformant file size due to alarge number of re-written single words within a macro not beingregenerated by the AV application.

The threat-filter application makes a determination as to whether thefile type is being sent from an approved source for that file type, andif so, will allow the file type to pass through the system.

It will be understood that embodiments are described herein by way ofexample only, and that various changes and modifications may be madewithout departing from the scope of the embodiments.

It will be understood that the present embodiments may be implemented inany system wherein electronic files are moved from a source to adestination. The method of sending the electronic files for the purposesof these embodiments is not limited to any particular method. That is,for example, the electronic files may be transferred from one componentto another component within the hardware of a computer system.Alternatively, for example, the electronic files may be transferred overan air interface from a base station to a mobile telephone device. Also,for example, the electronic files may be transmitted through a localarea network (LAN), wide area network (WAN) or over the Internet.

Further, it will be understood that, as a further option for anyembodiment previously described, an overriding facility may be providedfor users to manually override any of the determinations made by eitherthe AV application or the threat-filter application when the electronicfile is received. That is, when a conformity analysing device within theAV application blocks a portion, part or whole e-mail, due to itsnon-conformity, the user is given an option to still allow thenon-conformity to be regenerated and re-assembled in the e-mail.

One example of carrying out this option is to supply the intendedrecipient with a text warning asking them whether the non-conformantanalysed e-mail should be allowed to pass through the system as if itdid conform to the pre-defined allowable format. A response to thiswarning provides the conformity analysing device with an instruction toregenerate, if possible, and re-assemble the e-mail. Or, alternatively,the original e-mail is allowed to bypass both the AV application andthreat-filter application to pass through the system withoutregeneration.

Further, it will be understood that the AV application as described inthe previous embodiment may be located somewhere other than at the ISPe-mail server. For example, the AV application may be located on andinstalled in the recipient's e-mail client server. In this manner, anye-mails forwarded by the e-mail client server to a recipient's Inbox ona hard disk drive are the regenerated e-mails as previously described.

Further, it will be understood that the AV application may be hardwiredin a semiconductor device, such as, but not limited to silicon,gallium-arsenide (GaAs), indium-phosphide (InP). That is, the AVapplication has a quantifiable task, which does not require the need forupdates to the process of defining a pre-defined conforming format. Theinstructions required to carry out the task of the AV application,including parsing, analysing, regeneration and re-assembling may berealised in any suitable semiconductor device. Further, the instructionsrequired to implement the AV application might be stored in asemi-permanent or permanent memory device. The memory device would thenbe operable to run the AV application in association with a connectedprocessor. In these cases, it is then possible to provide theembodiments separate from the computer to be protected, as a separatedevice (for example in a card such as a modem card, network adaptercard, or disc drive controller) including processor and memory hardwareseparate to those of the computer to be protected. That has theadvantage of isolating the incoming electronic file completely from thefile system and other resources of the computer to be protected, andstoring it in a location which cannot normally be written to or updated,so as to avoid “trap-door” attacks on the AV application itself; inother words, a level of physical security. The semiconductor device mayconsist of a processor and a memory device wherein the processor runsthe AV application from the memory device and stores incoming files inthe memory device to isolate them.

Further, it will be understood that the semiconductor device describedabove may be provided as part of on any suitable network card usingconventional methods. In this manner the network card may be utilised ina communications network as a means to ensure the network is protectedfrom unwanted code and data by regenerating the received electronicfiles using the methods described.

Further, it will be understood that the electronic files as described inthe previous embodiment may be received by a computing device, whereinthe electronic files are stored on a removable memory device. Forexample, the electronic files may be stored on a USB disk device, asmart card, a secure digital (SD) memory device, a multimedia card (MMC)memory device, a compact flash (CF) card type 1 or 2, a smart media (SM)card, a XD card, a floppy disk, a ZIP drive, a portable hard drive orany other suitable memory device that may connected, directly or over awireless medium, to a computing device.

Further, it will be understood that an operating system as described inthis application can be any system that uses files. For example, anembedded system, router, network card or the like.

Further, it will be understood that other scrambling methods may beutilised to ensure any received executable files cannot be automaticallyexecuted. For example, the scrambling method stores each pair ofincoming bytes using a byte swap method. In this example, if 6 bytes, ABC D E F, are being received by the AV application with byte A beingreceived first and byte F being received last, they are stored in memoryin the following order: B A D C F E. The first byte (A) is stored in asecond memory location, and the second byte (B) is stored in a firstmemory location. This reversal occurs in subsequent memory locations foreach pair of bytes received. In this manner, any executable code is notable to automatically run and so any infected electronic files are notable to infect the AV application or the destination operating system.

For the avoidance of doubt, protection is hereby sought for any and allof the novel embodiments described above, singly and in combinations.

Having described various aspects and embodiments and modificationsthereof, persons skilled in the art will appreciate that the embodimentscan be modified in arrangement and detail without departing from theprinciples thereof. All embodiments, variations and modifications comingwithin the spirit and scope of the following claims are considered to beclaimed.

What is claimed is:
 1. A method of processing an electronic file tocreate a substitute electronic file containing only allowable contentdata, the method comprising: receiving, at a computer system, anincoming electronic file containing content data encoded and arranged inaccordance with a predetermined file type; determining a purportedpredetermined file type of the incoming electronic file based upon theencoded and arranged content data, and an associated set of rulesspecifying allowable content data for the purported predetermined filetype; determining nonconforming data in the content data that does notconform to the predetermined data format; determining that thenonconforming data is authorized; extracting, from the incomingelectronic file, the nonconforming data; and regenerating thenonconforming data to create the substitute electronic file in thepurported file type, said substitute regenerated electronic filecontaining the nonconforming content data, if the nonconforming data isdetermined to be authorized, wherein the incoming electronic file is notscanned for unwanted code.
 2. A method according to claim 1 in which thedata format corresponds to a subset of the predetermined set of rulesfor each file type.
 3. A method according to claim 1, furthercomprising: determining conforming data in the content data thatconforms to the predetermined data format, including determining whetherthe conforming content data conforms to prior known examples ofacceptable data.
 4. A method according to claim 3 in which the dataformat only includes allowable control characters.
 5. A method accordingto claim 3 in which the data format contains a plurality of data items,each with an associated predetermined size limit.
 6. A method accordingto claim 5 wherein the predetermined size limit is the size of a line inan image file.
 7. A method according to claim 1, wherein: the methodfurther comprises storing the incoming electronic file in a scrambledformat in memory; parsing the content data includes parsing the contentdata in the scrambled format in the memory in accordance with thepredetermined data format comprising the set of rules corresponding tothe determined purported predetermined file type; and determiningnonconforming data in the content data includes determining thenonconforming data in the content data in the scrambled format in thememory that does not conform to the predetermined data format.
 8. Amethod according to claim 7, wherein each byte of data is stored in abit reversed order.
 9. A method according to claim 7, wherein the datais stored such that each pair of data bytes received is placed in areversed memory order.
 10. A method according to claim 1, furthercomprising forwarding the substitute regenerated electronic file only ifthe content data from within the electronic file is authorized.
 11. Amethod according to claim 10 further comprising forwarding the incomingelectronic file if a portion, part or whole of the content data does notconform only when the intended recipient of the electronic file haspre-approved the sender of the electronic file.
 12. A method accordingto claim 1, further comprising replacing any content data that does notconform to the predetermined format with warning text.
 13. A methodaccording to claim 1, wherein the incoming electronic file is an e-mailand the method further comprises forwarding the regenerated e-mail tothe intended recipient if the content data is authorized.
 14. A methodaccording to claim 13, wherein the substitute regenerated e-mail isforwarded from an e-mail client to a hard disk drive.
 15. A methodaccording to claim 13, wherein the substitute regenerated e-mail isforwarded from an Internet server provider server to an e-mail clientserver.
 16. A method according to claim 1, further comprising receivingthe incoming electronic file from a removable memory device, andforwarding the substitute regenerated electronic file to a computingdevice.
 17. A non-transitory computer readable medium comprising acomputer program adapted to cause a processor to perform: receiving, atthe processor, an incoming electronic file containing content dataencoded and arranged in accordance with a predetermined file type;determining a purported predetermined file type of the incomingelectronic file based upon the encoded and arranged content data, and anassociated set of rules specifying allowable content data for thepurported predetermined file type; determining nonconforming data in thecontent data that does not conform to the predetermined data format;determining that the nonconforming data is authorized; extracting, fromthe incoming electronic file, the nonconforming data; and regeneratingthe nonconforming data to create the substitute electronic file in thepurported file type, said substitute regenerated electronic filecontaining the nonconforming content data, if the nonconforming data isdetermined to be authorized, wherein the incoming electronic file is notscanned for unwanted code.
 18. A semiconductor device comprising amemory including instructions for performing: receiving, at the computersystem, an incoming electronic file containing content data encoded andarranged in accordance with a predetermined file type; determining apurported predetermined file type of the incoming electronic file basedupon the encoded and arranged content data, and an associated set ofrules specifying allowable content data for the purported predeterminedfile type; determining nonconforming data in the content data that doesnot conform to the predetermined data format; determining that thenonconforming data is authorized; extracting, from the incomingelectronic file, the nonconforming data; and regenerating thenonconforming data to create the substitute electronic file in thepurported file type, said substitute regenerated electronic filecontaining the nonconforming content data, if the nonconforming data isdetermined to be authorized, wherein the incoming electronic file is notscanned for unwanted code.
 19. A semiconductor device according to claim18, wherein the semiconductor device is a semi-permanent or permanentmemory device.
 20. A network card comprising a semiconductor deviceincluding a memory including instructions to cause a processor to:receiving, at the computer system, an incoming electronic filecontaining content data encoded and arranged in accordance with apredetermined file type; determining a purported predetermined file typeof the incoming electronic file based upon the encoded and arrangedcontent data, and an associated set of rules specifying allowablecontent data for the purported predetermined file type; determiningnonconforming data in the content data that does not conform to thepredetermined data format; determining that the nonconforming data isauthorized; extracting, from the incoming electronic file, thenonconforming data; and regenerating the nonconforming data to createthe substitute electronic file in the purported file type, saidsubstitute regenerated electronic file containing the nonconformingcontent data, if the nonconforming data is determined to be authorized,wherein the incoming electronic file is not scanned for unwanted code.21. A method according to claim 1, further comprising: determiningconforming data in the content data that conforms to the predetermineddata format; determining the conforming data to be free of viral andotherwise unwanted code and data and suitable for regeneration; andadding the conforming data to the substitute regenerated electronicfile.